CVE-2026-1312
Publication date 3 February 2026
Last updated 4 February 2026
Ubuntu priority
Description
An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `.QuerySet.order_by()` is subject to SQL injection in column aliases containing periods when the same alias is, using a suitably crafted dictionary, with dictionary expansion, used in `FilteredRelation`. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Solomon Kebede for reporting this issue.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| python-django | 25.10 questing |
Fixed 3:5.2.4-1ubuntu2.3
|
| 24.04 LTS noble |
Fixed 3:4.2.11-1ubuntu1.14
|
|
| 22.04 LTS jammy | Ignored see notes | |
| 20.04 LTS focal | Ignored see notes | |
| 18.04 LTS bionic | Ignored see notes | |
| 16.04 LTS xenial | Ignored see notes | |
| 14.04 LTS trusty | Ignored see notes |
Notes
mdeslaur
python-django 3.2.x in jammy and earlier versions support passing raw column aliases to order_by(), so fixing this issue would change behaviour and possibly introduce a regression in existing applications. Marking as ignored for jammy and earlier.
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score |
5.4 · Medium
|
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | Low |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | Low |
| Integrity impact | Low |
| Availability impact | None |
| Vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N |
References
Related Ubuntu Security Notices (USN)
- USN-8009-1
- Django vulnerabilities
- 3 February 2026